
OWASP Security Testing Checklist: Complete 2026 Guide

Complete 2026 OWASP security testing checklist. OWASP Top 10 for web and API, hands-on test cases for SQL injection, XSS, BOLA, and security automation in CI/CD.

Avinash Kamble, Founder & QA Engineer at SoftwareTestPilot
Reviewed by Priyanka G.
OWASP Security Testing Checklist — OWASP Top 10 and API Security Top 10

Last updated: June 29, 2026 · 9 min read

This OWASP security testing checklist gives you the complete framework for testing web applications and APIs in 2026 — covering the OWASP Top 10, the OWASP API Security Top 10, and hands-on test cases you can run today. For deeper tool walkthroughs, pair it with our Security Testing Tutorial and API Testing Tutorial.

Why OWASP security testing matters in 2026

  • Average breach cost in 2026: $4.88 million (IBM)
  • Regulatory pressure — GDPR, HIPAA, PCI-DSS, EU AI Act
  • API is the new perimeter — 80%+ of attacks target APIs
  • AI-generated code introduces new vulnerability classes — see our GitHub Copilot for QA guide.

OWASP Top 10 (Web Applications, 2021)

A01 — Broken Access Control

TC — User cannot access another user's data
1. Log in as User A (id=123)
2. Try GET /users/124/profile
3. Expected: 403 Forbidden

TC — Admin endpoint protected
1. Log in as regular user
2. Try POST /admin/users
3. Expected: 403 Forbidden

A02 — Cryptographic Failures

TC — HTTPS enforced
1. Navigate to http://example.com
2. Expected: Redirect to https://example.com

TC — HSTS header present
1. Inspect response headers
2. Expected: Strict-Transport-Security present

TC — Cookies have HttpOnly and Secure
1. Log in
2. Inspect cookies in DevTools
3. Expected: HttpOnly and Secure flags set

A03 — Injection (SQL, NoSQL, LDAP, OS)

TC — SQL injection rejected
1. Enter ' OR '1'='1 as email
2. Expected: Validation error, no SQL executed

TC — XSS prevented
1. Enter <script>alert('xss')</script> as name
2. Expected: Script not rendered as code

TC — NoSQL injection rejected
1. Enter {"$gt": ""} as email
2. Expected: Validation error

A04 — Insecure Design

TC — Rate limiting on login
1. Submit wrong password 10 times
2. Expected: 429 Too Many Requests after threshold

TC — Critical ops require re-auth
1. Initiate password change
2. Expected: Re-authentication required

A05 — Security Misconfiguration

TC — Default credentials don't work
1. Try admin/admin, root/root
2. Expected: Authentication fails

TC — Security headers present
1. Inspect response headers
2. Expected: CSP, X-Frame-Options, X-Content-Type-Options

TC — Stack traces not exposed
1. Trigger an error in production
2. Expected: Generic error page, no stack trace
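The A02 (HSTS, cookie flags) and A05 (security headers) cases above can be automated against a captured response. The following is an added example, not code from the article; the header list and the one-year HSTS threshold are this example's assumptions, and the sample responses are constructed.

```python
import re

# Headers the A02/A05 checks require, with the finding reported when one is absent.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing (A02)",
    "content-security-policy": "Content-Security-Policy missing (A05)",
    "x-frame-options": "X-Frame-Options missing (A05)",
    "x-content-type-options": "X-Content-Type-Options missing (A05)",
}
MIN_HSTS_AGE = 31536000  # one year in seconds; the threshold is this example's assumption


def audit_headers(headers):
    """Return a list of findings for one HTTP response; empty means every check passed.

    `headers` maps header name -> list of values, because Set-Cookie may repeat.
    """
    h = {name.lower(): values for name, values in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]

    hsts = h.get("strict-transport-security", [""])[0]
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if hsts and (age is None or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append("Strict-Transport-Security max-age below one year (A02)")

    if h.get("x-content-type-options", ["nosniff"])[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (A05)")

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("HttpOnly", "Secure"):  # the A02 cookie test case
            if flag.lower() not in attrs:
                findings.append(f"cookie '{name}' lacks {flag} (A02)")
    return findings


# Constructed sample responses for the demo, not captured from any real site.
GOOD_HEADERS = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'"],
    "X-Frame-Options": ["DENY"],
    "X-Content-Type-Options": ["nosniff"],
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
}
BAD_HEADERS = {
    "Strict-Transport-Security": ["max-age=300"],
    "Set-Cookie": ["session=abc123; Path=/", "theme=dark; Secure"],
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, audit_headers(hdrs) or "all checks passed")
```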

A06 — Vulnerable Components

TC — npm audit clean
1. Run npm audit
2. Expected: No high or critical vulnerabilities

TC — Dependencies within support window
1. List all dependencies
2. Expected: All within support window

A07 — Authentication Failures

TC — Password complexity enforced
1. Try password "123"
2. Expected: Rejected with complexity error

TC — Account lockout after failed attempts
1. Try wrong password 10 times
2. Expected: Account locked

TC — JWT validation
1. Modify JWT payload (don't change signature)
2. Expected: 401 Unauthorized

A08 — Data Integrity Failures

TC — Auto-update signatures verified
1. Trigger update
2. Expected: Signature verification passes

TC — Deserialization rejects untrusted input
1. Send malicious serialized data
2. Expected: Rejected

A09 — Logging Failures

TC — Failed login is logged
1. Submit wrong password
2. Check logs
3. Expected: Failed login event logged

TC — Privilege escalation is logged
1. Attempt to access admin endpoint as user
2. Check logs
3. Expected: Privilege escalation event logged

A10 — SSRF

TC — Server rejects internal URL fetch
1. POST /upload with URL http://localhost:8080/admin
2. Expected: Rejected

TC — AWS metadata blocked
1. POST /upload with URL http://169.254.169.254/
2. Expected: Rejected

OWASP API Security Top 10 (2023)

Test every endpoint that takes an ID — pair this section with our API Testing Interview Questions and Postman API Testing Tutorial.

API1 — Broken Object Level Authorization (BOLA)

The #1 API vulnerability in 2026.

TC — User cannot access another user's object
1. Log in as User A (token_A, id=123)
2. GET /api/users/124 with token_A
3. Expected: 403 Forbidden

API2 — Broken Authentication

TC — Missing token rejected
1. GET /api/users without Authorization header
2. Expected: 401 Unauthorized

TC — Expired token rejected
1. Use expired JWT
2. Expected: 401 Unauthorized
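The server-side checks behind the A07 "JWT validation" case (payload modified, signature unchanged) and the API2 "Expired token rejected" case, as an added example that is not code from the article. It implements HS256 with the standard library only; the secret and claims are constructed, and the `now` parameter is this example's hook for testing expiry without touching the clock.

```python
import base64, hashlib, hmac, json, time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token, as the server does at login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the token is acceptable, else None (the caller answers 401).

    Rejects malformed tokens, any alg other than HS256 (so an "alg":"none"
    header fails), a signature that does not match the payload, and an
    expired or non-numeric `exp` claim. `now` overrides the clock for tests.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # payload edited without re-signing: the A07 test case
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now)):
        return None  # expired token: the API2 test case
    return claims


def replace_payload(token: str, claims: dict) -> str:
    """Build the tampered token the A07 case sends: new payload, original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"
```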

API3 — Broken Object Property Level Authorization

TC — Cannot set admin role via API
1. PATCH /api/users/123 with {"role": "admin"}
2. Expected: 403 Forbidden or role ignored

API4 — Unrestricted Resource Consumption

TC — Rate limiting on API
1. Send 10,000 requests in 1 second
2. Expected: 429 Too Many Requests after threshold

TC — Large payload rejected
1. Send 100MB JSON payload
2. Expected: 413 Payload Too Large

API5 — Broken Function Level Authorization

TC — Regular user cannot access admin endpoint
1. Log in as regular user
2. POST /api/admin/users
3. Expected: 403 Forbidden

API6 — Unrestricted Sensitive Business Flows

TC — Coupon abuse prevented
1. Apply same coupon code 1,000 times
2. Expected: Rate limited or CAPTCHA after threshold

API7 — SSRF

TC — Internal URL fetch rejected
1. POST /api/upload with URL http://internal-service
2. Expected: Rejected
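A server-side URL gate that produces the "Rejected" outcome for the A10 cases (localhost, the 169.254.169.254 metadata address) and the API7 case (a single-label internal hostname). Added example, not code from the article; the `resolve` hook is an assumption standing in for the application's DNS lookup, and the fake resolver data in the test is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip) -> bool:
    """True only for addresses outside loopback, link-local, private and other special ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return not (ip.is_loopback or ip.is_link_local or ip.is_private
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_url(url: str, resolve=None) -> bool:
    """Gate for a user-supplied URL the server is asked to fetch.

    `resolve` (assumed hook) maps a hostname to the list of IP strings it
    resolves to; every address must be public, so a name that also points at
    127.0.0.1 is refused. With resolve=None only syntactic checks run.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False  # file://, gopher://, ftp:// and friends
    host = parts.hostname  # lowercased, IPv6 brackets stripped
    if not host or parts.username or parts.password:
        return False  # no credentials smuggled in the URL
    if host == "localhost" or host.endswith((".localhost", ".internal", ".local")):
        return False
    try:
        return _is_public(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal, treat it as a name
    if "." not in host or host.replace(".", "").isdigit():
        return False  # single-label names (internal-service) and shorthand IPs (127.1)
    if resolve is None:
        return True
    addrs = resolve(host)
    return bool(addrs) and all(_is_public(ipaddress.ip_address(a)) for a in addrs)
```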

API8 — Security Misconfiguration

TC — CORS not too permissive
1. Request from external origin
2. Expected: CORS headers restrict origins

TC — Error messages don't leak details
1. Trigger error in production
2. Expected: Generic message, no stack trace

API9 — Improper Inventory Management

TC — Old API versions disabled
1. Try /api/v1/ (deprecated)
2. Expected: 404 Not Found

TC — Staging not exposed
1. Try /staging/, /dev/, /test/
2. Expected: Not accessible

API10 — Unsafe Consumption of APIs

TC — Third-party API responses validated
1. Mock third-party API with malformed response
2. Expected: App rejects or handles gracefully

Tools for security testing

SAST (Static Analysis)

Tool                    Free tier
SonarQube               Community Edition
Semgrep                 Yes
GitHub Code Scanning    Public repos
Snyk Code               Limited

SCA (Software Composition Analysis)

Tool                       Free tier
npm audit                  Yes
pip-audit                  Yes
OWASP Dependency-Check     Yes
Snyk Open Source           Limited

DAST (Dynamic Analysis)

Tool                     Free tier
OWASP ZAP                Yes (full)
Burp Suite Community     Yes
StackHawk                Limited

How to test with OWASP ZAP

Quick scan

# Passive baseline scan of the staging target; the HTML report is written to the current directory.
# Recent ZAP images are published as ghcr.io/zaproxy/zaproxy:stable; owasp/zap2docker-stable is the older Docker Hub name.
docker run -v $(pwd):/zap/wrk:rw \
    owasp/zap2docker-stable zap-baseline.py \
    -t https://staging.example.com \
    -r zap-report.html

CI/CD integration

# One step inside the steps: list of a GitHub Actions workflow job
- name: OWASP ZAP Scan
  uses: zaproxy/action-baseline@v0.7.0
  with:
    target: 'https://staging.example.com'

Plug this into your existing pipeline patterns from our CI/CD Pipeline Testing Tutorial and GitHub Actions for Automation Testing guide.

Security test reporting (CVSS severity)

Severity    CVSS        Example
Critical    9.0–10.0    RCE, unauthenticated admin access
High        7.0–8.9     BOLA, SQL injection
Medium      4.0–6.9     Reflected XSS
Low         0.1–3.9     Information disclosure
Info        0.0         Best-practice violation

For the full security bug report template, see our Security Testing Tutorial.

Common OWASP security testing mistakes

1 — Testing only with automated tools

Automated tools catch 30–50% of issues. Manual testing catches the rest.

2 — Not testing authentication thoroughly

Cover password complexity, account lockout, MFA bypass, JWT validation, and session timeout.

3 — Skipping authorization tests

For every endpoint, test anonymous access, wrong-role access, and right-role access.

4 — Not testing for BOLA

BOLA is the #1 API vulnerability. Walk IDs in URLs: /users/123, then /users/124.

5 — Trusting third-party APIs

Validate third-party API responses. Don't trust them blindly.

6 — Not testing error responses

500 errors shouldn't expose stack traces. 404s shouldn't reveal which resources exist.

7 — Not updating security tests

Threats evolve. Refresh your security test suite quarterly.

8 — Skipping rate limiting tests

Rate-limit logins, API calls, and resource creation to prevent abuse and DoS.

Frequently asked questions

What is OWASP?

OWASP (Open Worldwide Application Security Project) is a nonprofit foundation that publishes security standards, including the Top 10 lists.

What's the difference between OWASP Top 10 (Web) and OWASP API Top 10?

Web Top 10 covers web application vulnerabilities. API Top 10 covers API-specific vulnerabilities — most notably BOLA.

What's the #1 API vulnerability in 2026?

BOLA (Broken Object Level Authorization) — access other users' objects by changing IDs in URLs.

How do I run security tests in CI/CD?

Use OWASP ZAP for DAST, Snyk or npm audit for SCA, and SonarQube for SAST. Together the three give comprehensive coverage.

How long does a full security audit take?

1–2 weeks for a comprehensive audit. Ongoing security testing is continuous.

What's the cost of a data breach in 2026?

$4.88 million average per IBM's Cost of a Data Breach Report. Some breaches cost $100M+.
